Malicious Morocco Spambot on OVH Canada

Fred Nurk
Posts: 11
Joined: Thu May 03, 2018 11:37 pm

Re: counterfeit

Post by Fred Nurk » Fri May 04, 2018 12:04 am

Phishing e-mails - offering Cannabis Oil gummies or advice about heart attack symptoms. Sender domains include:

creeddeskenth.xyz
loyalpermissiondude.xyz
ordercotton.xyz

The link in all e-mails leads to a creeddeskenth.xyz page, which redirects to a site that triggers malware warnings.

All domains are registered via Name.com (who refuse to respond to reports). Registrant e-mail is tennouren@gmail.com. IP addresses are OVH Canada, who also won't acknowledge or respond to reports. IP addresses include:

nova7
Posts: 263
Joined: Fri Apr 06, 2012 11:32 pm

Re: Malicious Morocco Spambot on OVH Canada

Post by nova7 » Sat May 05, 2018 8:06 pm

ordercotton.xyz:
http://aceinsight.websense.com "Elevated exposure"

loyalpermissiondude.xyz:
http://aceinsight.websense.com "Elevated exposure"
https://hosts-file.net/?s=loyalpermissiondude.xyz

Fred Nurk
Posts: 11
Joined: Thu May 03, 2018 11:37 pm

Re: Malicious Morocco Spambot on OVH Canada

Post by Fred Nurk » Sun May 06, 2018 10:59 pm

Another this morning - sent from savemalletpuerto.xyz, IP address 54.38.61.17

NotBuyingIt
Posts: 3269
Joined: Fri Mar 11, 2011 6:21 pm

Re: Malicious Morocco Spambot on OVH Canada

Post by NotBuyingIt » Mon May 07, 2018 2:27 pm

All of the above-reported domains are currently using a virtually identical template for their websites, and the same webpages are also being served directly by the above-reported IP addresses. The same webpages are served directly from the IP addresses in the domains' A records, which currently include:
  • 54.39.41.128 (loyalpermissiondude.xyz)
  • 142.44.213.87 (creeddeskenth.xyz)
  • 144.217.79.135 (ordercotton.xyz)
See the screenshot at hxxp://urlquery.net/report/e05803cc-ffe1-486f-bd76-11f79bd4c2bf

NotBuyingIt
Posts: 3269
Joined: Fri Mar 11, 2011 6:21 pm

Re: Malicious Morocco Spambot on OVH Canada

Post by NotBuyingIt » Mon May 07, 2018 3:04 pm

The "dummy" website template used by the above-reported domains is in widespread use. It isn't confined to OVH Canada. E.g., it is also used by the server for milancondera.xyz hosted at IP 80.211.129.229 on the Aruba S.p.A. network. Nor is the template confined to .XYZ top-level domains. E.g., it is also used by the server for chanelw.com hosted at IP 200.63.45.49 on the Panamaserver.com network.

A Google search using as a keyword the phrase "optimization of the campaign is key" will return scores of virtually identical websites. However, I have no information about any malicious aspects of such domains.

Fred Nurk
Posts: 11
Joined: Thu May 03, 2018 11:37 pm

Re: Malicious Morocco Spambot on OVH Canada

Post by Fred Nurk » Tue May 08, 2018 12:01 am

Happily, creeddeskenth.xyz is dead for the time being - Name.com have placed it on 'clienthold', and it now doesn't lead anywhere.

Meanwhile, the spammer is now sending directly via IP address 79.137.70.43. The phishing link leads to a waybitz.com page, which redirects to an ifehp.today page which triggers malware / fraudulent page warnings.

Registrant details for the latest batch are:

Registrant e-mail: ijmouan@gmail.com

Name: Omar IJMOUAN

Phone number: (261) 071-1178

Address:
ARD DAOULA N26 Rue 38 , 26
Tangier, Tangier 90000
Morocco

nova7
Posts: 263
Joined: Fri Apr 06, 2012 11:32 pm

Re: Malicious Morocco Spambot on OVH Canada

Post by nova7 » Tue May 08, 2018 6:43 pm

ifehp.today is offline presently, still registered. @Fred Nurk, the samples seem highly under-reported; I suggest reporting and/or forwarding the e-mails, as attachments, to blocklists.

Fred Nurk
Posts: 11
Joined: Thu May 03, 2018 11:37 pm

Re: Malicious Morocco Spambot on OVH Canada

Post by Fred Nurk » Mon May 14, 2018 5:12 am

nova7 wrote:
the samples seem highly under-reported, I suggest reporting and/or forwarding--as attachments--the emails to blocklists.
I've been reporting them via SpamCop, clearly to no effect - any suggestions on which blocklists I should direct them to would be greatly appreciated...

After a break of a few days, another one this morning, again sent from bogayou.com, still redirecting via waybitz.com, with the sender IP address showing that creeddeskenth.xyz is again active.

nova7
Posts: 263
Joined: Fri Apr 06, 2012 11:32 pm

Re: Malicious Morocco Spambot on OVH Canada

Post by nova7 » Tue May 15, 2018 2:17 am

@Fred Nurk, I posted this for your use today.
https://forum.mywot.com /viewtopic.php?f=3&t=3136&p=263687#p263687 (there's an intentional break-space in the link due to an error in the forum formatting)

There are also malware URL reporting sites, etc., and addresses for antivirus vendors, that I have in my offline notes but haven't used much.

Fred Nurk
Posts: 11
Joined: Thu May 03, 2018 11:37 pm

Re: Malicious Morocco Spambot on OVH Canada

Post by Fred Nurk » Wed May 30, 2018 11:00 am

Appears to have started up again - several e-mails in the last few hours, all headed "Home Warranty". All contain a redirection link which leads to
http://zffzz.yzscwdbdxe.oyfhf.site/?sov ... c26be3c49e

which redirects to an online gaming site - https://www.freelotto.com/register.asp? ... yoneWinsTV

Most recent spamming domain is waaowdeals.com which is registered via Name.com to

IJMOUAN OMAR
Street: 63 RUE EL WAHDA , ETAGE 1, APP 9
City: CASABLANCA
State: MAROC / GRANDE CASABLANCA
Postal Code: 20130
Country: MA
Phone: +212.648941431

Registrant e-mail is now o.ijmouan@gmail.com
